lautitoti/gha-devsecops
DevSecOps Pipeline - GitHub Actions

DevSecOps Pipeline using free SAST, DAST and SCA tools

How it works

This GitHub Actions workflow runs Snyk, SonarCloud and OWASP ZAP on every push or pull request: Snyk checks your third-party dependencies for known vulnerabilities, SonarCloud checks your own source code for security issues, and ZAP probes the running application once it has been built and deployed.

SCA - Software Composition Analysis

This is provided by Snyk. All you need is a Snyk account and a Snyk API token stored as a repository secret; the Snyk action reads it from the SNYK_TOKEN environment variable. Snyk matches the project's lock file against its vulnerability database and can fail the job above a chosen severity threshold.

SAST - Static Application Security Testing

This is provided by SonarCloud, the SaaS version of SonarQube. All you need is a SonarCloud account and a Sonar token stored as a repository secret (the action reads it from SONAR_TOKEN). You also need to create a sonar-project.properties file in the repository root; at minimum it sets sonar.projectKey and sonar.organization so the scanner knows which SonarCloud project to report to.

DAST - Dynamic Application Security Testing

This is provided by OWASP ZAP, an open-source web proxy and scanner from OWASP.org. We only use ZAP's automated baseline scan: it spiders the target and runs the passive scan rules, so it does not send attack payloads and is safe to point at a shared staging environment, but it also will not find issues that require active testing. You only need to point ZAP at the application's URL once it is built and reachable.
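The three sections above are the steps of one pipeline, so here is a complete workflow that wires them together. This is an added example, not the repository's own workflow file; the Node.js ecosystem for the Snyk sub-action, the staging URL the ZAP job targets, the secret names and the pinned action version are assumptions you adapt to your project.

```yaml
# .github/workflows/devsecops.yml  (added example, not the project's own file)
name: DevSecOps pipeline

on:
  push:
    branches: [main]
  pull_request:

# Least privilege: by default the GITHUB_TOKEN may only read the repository.
# Jobs that need more (the ZAP job files an issue with its findings) opt in below.
permissions:
  contents: read

jobs:
  sca:
    name: SCA (Snyk)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # snyk/actions ships one sub-action per ecosystem; "node" is an assumption
      # about the project being scanned (python, golang, docker, ... also exist).
      - name: Snyk dependency scan
        uses: snyk/actions/node@master        # pin to a commit SHA in production
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # repository secret holding the Snyk API token
        with:
          args: --severity-threshold=high     # fail only on high/critical findings

  sast:
    name: SAST (SonarCloud)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history so SonarCloud can tell new code from old
      # sonar.projectKey and sonar.organization come from sonar-project.properties
      # in the repository root, as described above.
      - name: SonarCloud scan
        uses: SonarSource/sonarcloud-github-action@master   # pin to a commit SHA in production
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # lets SonarCloud annotate the pull request
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}     # token generated in SonarCloud

  dast:
    name: DAST (OWASP ZAP baseline)
    runs-on: ubuntu-latest
    needs: [sca, sast]     # only scan builds that already passed SCA and SAST
    permissions:
      contents: read
      issues: write        # the baseline action opens/updates an issue with the alerts
    steps:
      - uses: actions/checkout@v4
      - name: ZAP baseline scan
        uses: zaproxy/action-baseline@v0.10.0   # version pin is an assumption; use a current release
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # Assumption: the built application has already been deployed here.
          target: 'https://staging.example.com'
          cmd_options: '-a'      # also run the alpha passive-scan rules
          fail_action: true      # fail the job when ZAP reports any alert
```

Two points worth checking before relying on this. First, the ZAP job assumes the application is already running at the target URL; if your pipeline builds and starts the app in the same job, start it in a prior step and wait for it to answer before the scan step runs. Second, third-party actions referenced by a moving tag such as `@master` change underneath you, so for a pipeline whose whole purpose is supply-chain hygiene, pin each action to a full commit SHA and let Dependabot propose updates.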

References:

SonarCloud GHA - https://github.com/marketplace/actions/sonarcloud-scan

Snyk GHA - https://github.com/marketplace/actions/snyk

OWASP ZAP GHA - https://github.com/marketplace/actions/owasp-zap-baseline-scan
